Security Panel Warns IoT Will Change the Security Game

The year 2020, once a faraway-sounding era of future scientific marvels, is now only four short years away. When we get there we may still not have those flying cars we were promised decades ago, but the world will be very different than it is today.

“There’s no doubt the hyper-connected world of 2020 will change how we live, work and play,” said Symantec CEO Michael Brown in an afternoon presentation Thursday at the RSA Conference.

The question is will we be more secure?

One thing that will need to happen in Brown’s view is a new approach to security and a reset or paring down of the vast numbers of security products enterprises currently have to choose from and deploy. By some industry estimates the typical enterprise deploys at least 30 distinct security products.

“There’s a fragmentation of (security) solutions and customers are saying, ‘Enough!’,” said Brown.

After his opening remarks, Brown brought a panel of three experts on stage to discuss what to expect, or at least what needs to be done, to ensure better security in the years ahead.

Daniel Conroy, Chief Information Security Officer (CISO) at Synchrony Financial, compared the current state of security to how sports teams prepare for an opponent.

“In sports you need to know the team you’re playing. In security we don’t know who we’re playing and in many cases we don’t even know what the sport is,” he quipped.

One idea, Conroy pitched is a Wikipedia-style database of threats that could be freely shared and updated. If such a database was open to anyone, there could be disadvantages to making that information available to the bad guys, but Conroy says overall the sharing would benefit the greater good.

Continuing with the sports theme, Conroy talked about what the rise of the Internet of Things will do from a security perspective. “IoT changes the attack surface,” he said. “It’s like the Super Bowl in 2007 was one team playing another. Today it’s more like one team playing the whole stadium… We have to change the game there.”

Brown said the number of IoT devices is expected to grow from about five billion today to over 50 billion in the next five years. Drones are just one of the new devices just starting to appear. He noted that a security researcher who spoke at RSA on Wednesday said it’s possible to compromise the security of a high-end drone and crash it from a mile away.

Samir Kapuria, who heads Symantec’s Global Cyber Security Business Unit, said that what constitutes cyber expertise today continues to evolve as will the scope of what security pros are expected to guard against. “Look at your SOC (Security Operations Center) for the next four years and ask whether you have trust with your suppliers,” he said.

Kapuria recommends businesses ask questions and research their supply chain because when there’s a security breach that originates with a partner, there can be both economic and reputation consequences for your company.

“We need to understand suppliers and customer’s networks,” said Brown. There needs to be a way of monitoring those networks and some form of analytics.”

The third panelist, Troels Oerting, CISO at Barclays, said cloud computing also presents security challenges. With 50 million financial customers spread across 50 countries, Barclays is using a combination of on premise, public and private cloud services. Oerting said it requires ongoing research and vigilance to ensure Barclays can provide the security and privacy customers expect, as well as the convenience they demand.

Futuristic Attacks

Brown said new kinds of attacks that might have seen like science fiction in the early part of this century have become reality. He referred specifically to the first cyber attack on physical infrastructure controlled by computers, which is what happened in Iran in 2010 when centrifuges in its nuclear facility were attacked by the infamous Stuxnet virus. And late last year Ukraine’s power grid was compromised by hackers.

In a pitch for his own company, Brown said the “New Symantec” gets data from 200 million sensors globally and protects a billion IoT devices along with millions of websites.

“Security analytics are important,” he said. “But you have to start with a volume and diversity of data to take advantage of it.”